Privacy Policy
Last updated: April 18, 2026
HIPAA GDPR PIPEDA
1. Overview
Skeleton Health ("we", "us", "our") provides a decentralized platform for patients to store, manage, and share encrypted health records using blockchain technology. This privacy policy explains how we handle your information.
Core principle: Your health data is encrypted with your own keys before it leaves your device. We cannot read, access, or share your health records. Only you control who sees your data.
2. Information We Collect
- Blockchain transactions: When you register, upload, grant access, or revoke access, these actions are recorded on the Polygon blockchain. This includes your wallet address, IPFS content hashes, and timestamps. This data is public by nature of blockchain technology.
- Encrypted health records: Health data you upload is encrypted client-side using AES-256-GCM encryption before being stored on IPFS. We never see the unencrypted content.
- Essential cookies: We use localStorage to maintain your session state and preferences (e.g., cookie consent). No tracking cookies, no analytics cookies, no third-party cookies.
3. Information We Do NOT Collect
- We do not collect personal identifying information (name, email, phone)
- We do not collect or store your private keys or encryption keys
- We do not track your browsing behavior or use analytics
- We do not share any data with third parties for advertising or marketing
- We do not collect location data
4. How Your Data is Stored
- Health records: Encrypted with AES-256-GCM and stored on IPFS (InterPlanetary File System), a decentralized storage network. Only you hold the decryption key.
- Access registry: Stored on the Polygon blockchain (Layer 2), providing an immutable, transparent record of who has access to what.
- Session state: Stored locally in your browser using localStorage. Never sent to our servers.
5. Data Sharing
Health records are only shared when you explicitly grant access to a healthcare provider. You control:
- Who can access your records (by wallet address)
- How long access lasts (time-limited grants)
- When to revoke access (instant, permanent revocation)
We never share your data with insurance companies, employers, or any third party without your explicit, recorded consent on the blockchain.
6. Your Rights (GDPR / PIPEDA)
- Right to access: Export all your data at any time (Settings → Export Data)
- Right to rectification: Upload corrected records; previous versions remain on the blockchain but can be marked as superseded
- Right to erasure: Delete your account and local data. Note: encrypted data on IPFS and blockchain records cannot be removed from those networks, but without your encryption key, the data is permanently unreadable
- Right to portability: Export all records in standard JSON format
- Right to restrict processing: Revoke all provider access at any time
- Right to object: Disconnect your wallet at any time
7. HIPAA Compliance
Skeleton Health is designed with HIPAA Security Rule requirements in mind:
- Encryption: All Protected Health Information (PHI) is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3)
- Access controls: Patient-controlled grants with time limits and instant revocation
- Audit controls: All access events are immutably recorded on the blockchain
- Integrity controls: Blockchain ensures records cannot be tampered with
- Minimum necessary: Providers only see records you explicitly share
8. Data Retention
Encrypted records on IPFS persist as long as they are pinned. You control this. When you delete your account:
- Your encryption key is destroyed locally
- Encrypted data on IPFS becomes permanently unreadable
- Blockchain transaction records remain (immutable by design) but contain only wallet addresses and hashes — no readable health data
9. Third-Party Services
10. Security Measures
- Client-side encryption (AES-256-GCM) — data encrypted before leaving your device
- No server-side key storage — we never have your encryption keys
- Blockchain-based audit trail — tamper-proof record of all access
- Time-limited access grants — automatic expiration
- Emergency access protocol — logged, 72-hour limit, revocable
11. Children's Privacy
Skeleton Health is not intended for use by children under 16. We do not knowingly collect information from minors.
12. International Users
Data is stored on decentralized networks (IPFS, Polygon) and may be located in multiple jurisdictions. By using our service, you consent to this. We comply with Canadian PIPEDA, EU GDPR, and US HIPAA regulations.
13. Changes to This Policy
We may update this policy periodically. Changes will be posted on this page with an updated "Last updated" date. Continued use constitutes acceptance of changes.
14. Contact
For privacy questions or data requests:
Medical Disclaimer: Skeleton Health is NOT a medical device and does NOT provide medical advice, diagnosis, or treatment. This platform is for secure storage and sharing of health records only. Always seek the advice of a qualified healthcare provider with any questions regarding medical conditions.